HOME     MENU     SEARCH     NEWSLETTER    
THE ENTERPRISE SECURITY SUPERSITE. UPDATED 5 MINUTES AGO.
You are here: Home / Mobile Security / Android Master Key Exploits Found
Android Master Key Vulnerability Exploited in Two Apps
Android Master Key Vulnerability Exploited in Two Apps
By Seth Fitzgerald / Enterprise Security Today Like this on Facebook Tweet this Link thison Linkedin Link this on Google Plus
PUBLISHED:
JULY
24
2013
Symantec researchers say the first known use of the Android "master key" vulnerability has been found in the wild. Two applications distributed on unofficial Android marketplaces in China were found to be using the exploit.

When Symantec's team first discussed the vulnerability earlier this month, which was identified by startup Bluebox Security, they said they expected attackers to exploit it quickly because of its ease-of-use. They appear to have been right on the mark.

The two applications discovered in the marketplace were legitimate apps which are meant to help people find and make doctor appointments, however an attacker seems to have added code to the apps in order to make them exploit the Android master key vulnerability.

The Exploit

Both of the previously legitimate applications have been infected with additional code which allows the hacker to remotely control devices, access data, send premium SMS messages, and disable security features.

By using this vulnerability, the hacker modified the applications by adding a new classes.dex file which contains the code, as well as a new manifest file which specifies permissions.

The attackers ability to send out premium texts is one of the most concerning aspects of the exploit. Each premium text that is sent out because of this code will incur a charge, although all of the fees will be directed to the attacker and not to the carrier.

Difficulty Updating

When Symantec first announced that they had discovered this type of flaw, Google automatically released a patch which would protect devices. Even though the patch prevents Nexus devices against attacks, manufacturers still have to push out updates with the patch to non-Nexus phones.

The process of sending out updates can sometimes take months, no matter how important the update is to a device. Millions of Android devices either never receive updates or they receive very few updates, resulting in continuous vulnerabilities to many different attacks.

This type of delay has been one of the major criticisms of Android especially recently, and has resulted in many people praising Apple because of how fast and easily it is able to push out security updates to all of their devices.

Many users are now demanding that carriers and phone manufacturers find a new way of receiving and pushing out important security-based updates. Although design changes require a lot of custom tailoring to individual phones, security updates should take far less time to distribute.

Protecting Your Device

Since it could take months for a security update to be implement on all Android phones, there are a few ways to protect your device from attacks like this one.

Simply downloading Norton Security antivirus should keep any infected applications from harming your device. Another alternative is the Bluebox Security Scanner, which should also provide the necessary protection.

Users with a Nexus or Samsung device will have already had the patch sent out to their phone, but taking these precautions is important for users with any other type of device.

Tell Us What You Think
Comment:

Name:

Like Us on FacebookFollow Us on Twitter
TOP STORIES NOW
MAY INTEREST YOU
High Quality CRM Data: Prevent, detect and fix errors at the point of data entry for Dynamics CRM. Trillium Software helps you achieve an accurate, synchronized, single view of customers. It's time to trust your data. Take a product tour and read CRM Analyst opinions here.
MORE IN MOBILE SECURITY
Product Information and Resources for Technology You Can Use To Boost Your Business
© Copyright 2014 NewsFactor Network, Inc. All rights reserved. Member of Accuserve Ad Network.